From 1c3d33e146bdc48fad938af99c553ab8a93ff09a Mon Sep 17 00:00:00 2001
From: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
Date: Wed, 25 Aug 2021 22:06:01 +0300
Subject: [PATCH] Calico: 3.20.0 policy update to allow access to
 endpointslices (#7899)

---
 roles/network_plugin/calico/templates/calico-cr.yml.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2
index e5238d8d3..5a3d9286f 100644
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -13,6 +13,16 @@ rules:
       - configmaps
     verbs:
       - get
+{% if calico_version is version("v3.20.0", ">=") %}
+  # EndpointSlices are used for Service-based network policy rule
+  # enforcement.
+  - apiGroups: ["discovery.k8s.io"]
+    resources:
+      - endpointslices
+    verbs:
+      - watch
+      - list
+{% endif %}
   - apiGroups: [""]
     resources:
       - endpoints